<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1226" name=GENERATOR></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Tahoma"><PRE># This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#
Rule:

--
False Positives: When using ACID, and when ACID does it's reverse lookups (easier to replicate when many reverse lookups are occuring.), the returned information appears to SNORT to be this kind of attack.</PRE><PRE> When the network is busy, I have been able to replicate this at will. The source IP will show up as coming from UDP port 53 from the DNS in making the "attack".